Release Notes Version 7.198.0.0
Release Date: 01/28/2022
This release contains several enhancements to the EmpowerID microservice applications and Workflow Studio.
This minor release includes several enhancements to the EmpowerID Policy-Based Access Control (PBAC) engine and the business request process to give organizations more options for controlling user access.
New Features
Onboard Azure Applications in EmpowerID
Added support for onboarding Azure applications in EmpowerID. If your organization integrates applications with Azure AD, you can manage those applications in EmpowerID, including creating new applications.
For onboarding applications, EmpowerID provides two options that you can use depending on your organization's policies:
You can require any onboarding of Azure applications to go through an approval process before those applications are created in Azure.
You can allow applications to be onboarded without requiring any approvals.
Manage Client Certificates for Azure Applications
Added support for managing client certificates for Azure applications. When a user creates a certificate, the following happens:
The certificate is uploaded and added to that app in Azure.
The certificate thumbprint can be viewed after creation.
The certificate is optionally saved by EmpowerID.
An app owner is able to delete the client secret for an existing application.
An app owner is able to delete the certificate/key for an existing application.
Manage Client Secrets for Azure Applications
Added support for the app migration team to be eligible to request a new client secret for an app.
When a user creates a client secret, the following happens: the client secret is created and added to that app in Azure.
The person who completed the task receives a one-time view of the client secret and its Azure ID, together with a warning.
The client secret can be copied.
Enhancements
EmpowerID to inventory and manage common user attributes.
Added support for inventorying and managing the following common user attributes:
EmployeeType
Manager
ExtensionAttribute1
OfficeLocation
CostCenter
Division
Recertification Policies
Added updates for the following recertification policy types:
Account Validity Type Recertification Policy – Account validity recertification is a method of determining whether or not accounts are still required.
Business Role and Location Membership Type Recertification Policy – The business role and location membership recertification process validates whether the membership of a business role and location is still required for a valid business purpose.
Group Membership Type Recertification Policy – The group membership recertification policy is used to certify group membership, including person resources for RBAC membership, group account, nested groups, and any type of direct assignment.
Group Validity Type Recertification Policy – The group validity recertification is a method of determining whether or not groups are still required. Certain actions must be made if the groups are no longer required.
Management Role Membership Type Recertification Policy – The management role membership recertification policy is to certify the current members of a management role, including people, group, and business role and location.
Management Role Access Assignment Type Recertification Policy – The management role access assignment recertification process validates whether the access granted to a management role is still required for a valid business purpose.
Management Role Validity Type Recertification Policy – The management role validity recertification is a method of determining whether or not management roles are still required.
Person Validity Type Recertification Policy – The person validity recertification is a method of determining whether or not the person is still required.
Added updates for the following recertification audit types:
Audit with Account Validity Type Recertification Policy – Account validity recertification is a method of determining whether or not accounts are still required.
Audit with Business Role and Location Membership Type Recertification Policy – The business role and location membership recertification process validates whether the membership of a business role and location is still required for a valid business purpose.
Audit with Group Membership Type Recertification Policy – The group membership recertification policy is used to certify group membership, including person resources for RBAC membership, group account, nested groups, and any type of direct assignment.
Audit with Group Validity Type Recertification Policy – The group validity recertification is a method of determining whether or not groups are still required. Certain actions must be made if the groups are no longer required.
Audit with Management Role Membership Type Recertification Policy – The management role membership recertification policy is to certify the current members of a management role, including people, group, and business role and location.
Audit with Management Role Access Assignment Type Recertification Policy – The management role access assignment recertification process validates whether the access granted to a management role is still required for a valid business purpose.
Audit with Management Role Validity Type Recertification Policy – The management role validity recertification is a method of determining whether or not management roles are still required.
Audit with Person Validity Type Recertification Policy – The person validity recertification is a method of determining whether or not the person is still required.
Create schema extensions for Azure AD user extension attributes
Added support for creating schema extensions for Azure AD user extension attributes. For example, added DirectoryExtensionAttribute1 through DirectoryExtensionAttribute10 for the Account, Group, and Person components.
Implementation of directory extension attributes in both the Azure AD SCIM microservice and the Azure AD SCIM connector is complete.
Create and edit Management Role Types
Added support for creating and editing Management Role types for admins.
Management Role Naming Convention
Added support for the use of the NamePrefix and Suffix fields from the ManagementRoleType table.
Add hardcoded controls for common cases
Added hardcoded controls for common cases such as:
Person single autocomplete
Person multi lookup autocomplete
Management Role single, Management Role multi
Group single, Group multi
Account single, Account multi
Use the assignee picker as a form control
Implemented the ability to use the assignee picker as a form control.
Resource Admin
Listing of owned applications (EmpowerID and Azure applications where the logged-in user is the Access Manager)
Application details with runnable EmpowerID actions (edit, delete, etc.)
Azure application onboarding workflow
Application "more info" box (localizable)
All microservices
Single sign-on/sign-out improvements (including token refresh)
Docker containers updated (build steps simplified, base/build images version updates)
Enhancements to Workflow Studio
New template for SCIM Microservices targeting .NET 5
New template for Azure Functions targeting .NET 5
New template for Microservices targeting .NET 5
Support .NET 6 for WFS extension/libraries
Ability to create lookups that allow the user to enter their own SQL query
Enhancements to the Business Request Engine
Added Approval Flow Step Auto Approval Rule – Allows for approvals at the step level if the current approver can make the decision without including the person who can approve it as a potential approver
Added Resource Owner Assignee to the approval control
Migrate the mobile app from Xamarin.Forms to .NET 6 MAUI
Migrated the existing mobile app from Xamarin.Forms to .NET 6 MAUI.
Removed old dependencies and used the latest Microsoft implementation
Reviewed and refactored code
UI components changed
Other Enhancements and improvements
Added Notification Queue tab to the Find Notification pages
Added Functional Access cards to the Management Role View One pages
Added deeper integration of Workflow Studio with Visual Studio 2019
Added support for externalizing workflow data to the workflow engine
Added support for navigating back in a wizard workflow implementation whilst maintaining context
Management Role Naming Convention
Implemented a Management Role naming convention that uses the prefix and suffix from the ManagementRoleType table and can evaluate expressions.
For example, if the prefix for the Management Role type is set to "ACT", the new naming convention builds the name as ACT + whatever the user enters in the name field.
Filter management roles
Added support for role admins to filter management roles by selecting a reference person as a member.
Admins can select a person and see their resultant and direct memberships, as well as the roles they are not yet a member of.
Filter Groups
Added support for role admins to filter groups by additional advanced criteria such as member and owner.
Added support for showing more information for all resources
Similar to applications, which already have an info pop-up where links can be added, this ability is now available for all other resources.
As a result, an end user can view more information for any resource.
For this, a field was introduced in the legacy UI for each of the resources concerned.
This is implemented for Groups, Business Roles, Management Roles, Protected Applications, Shared Folders, Mailboxes, Computers, AZ Local Roles, and Az License Pool Service Bundle.
Support for viewing and searching for computers in the IT Shop
Completed the changes to allow users to request two types of access to computers:
Login Session Access (PSM, which involves shared credentials)
Membership Based Access (ResourceAccessRequestAssignee)
Login Session Access includes the following parameters:
Users can select one-time access or pre-approved access. On BusinessRequestItem, if the pre-approved flag is set to false, the request is one-time access and uses the start and end date as the time constraint.
Personal or SharedCredential access: on BusinessRequestItem this is stored in RequestDataExternalObjectID.
Membership Based Access includes the following parameters:
Users can select one-time access or pre-approved access. On BusinessRequestItem, if the pre-approved flag is set to false, the request is one-time access and uses the start and end date as the time constraint.
A person belonging to the core identity: on BusinessRequestItem this is stored in RequestDataAssigneeID.
Access Level: on BusinessRequestItem, the access level (ResourceAccessRequestAssignee) is stored in RequestDataTargetResourceTypeRoleID, and the group associated with the access level is stored in RequestDataAssignmentPointID. If RequestDataTargetResourceTypeRoleID is null or empty, the request is login-based access.
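The field mapping above, as an added example that is not part of the EmpowerID release notes or product code: a Python model of the BusinessRequestItem fields the notes name, the rule that a null or empty RequestDataTargetResourceTypeRoleID means login-session access, a time-window check for one-time access, and the consistency checks a fulfilment step could apply before acting on a request. The record layout, the treatment of pre-approved requests as standing access, the fail-closed handling of a one-time request with no dates, and every id value are assumptions or constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class BusinessRequestItem:
    """Only the fields the release notes name; the record layout itself is an assumption."""
    pre_approved: bool
    start_date: Optional[datetime]
    end_date: Optional[datetime]
    request_data_external_object_id: Optional[str] = None   # personal/shared credential (login-session access)
    request_data_assignee_id: Optional[str] = None          # person from the core identity (membership access)
    request_data_target_resource_type_role_id: Optional[str] = None  # access level, e.g. ResourceAccessRequestAssignee
    request_data_assignment_point_id: Optional[str] = None  # group bound to the access level


def access_kind(item: BusinessRequestItem) -> str:
    """Rule stated in the notes: a null/empty RequestDataTargetResourceTypeRoleID means login-session access."""
    if not item.request_data_target_resource_type_role_id:
        return "login_session"
    return "membership"


def is_active(item: BusinessRequestItem, now: datetime) -> bool:
    """Pre-approved access is treated as standing access (assumption); one-time access is valid only inside [start, end]."""
    if item.pre_approved:
        return True
    if item.start_date is None or item.end_date is None:
        return False  # a one-time request without a window is refused rather than treated as open-ended
    return item.start_date <= now <= item.end_date


def validate(item: BusinessRequestItem) -> List[str]:
    """Consistency checks a fulfilment step could apply before acting on the request (added here, not EmpowerID's)."""
    problems: List[str] = []
    if access_kind(item) == "login_session":
        if not item.request_data_external_object_id:
            problems.append("login-session access needs a credential in RequestDataExternalObjectID")
        if item.request_data_assignment_point_id:
            problems.append("login-session access must not carry a group in RequestDataAssignmentPointID")
    else:
        if not item.request_data_assignee_id:
            problems.append("membership access needs a person in RequestDataAssigneeID")
        if not item.request_data_assignment_point_id:
            problems.append("membership access needs a group in RequestDataAssignmentPointID")
    if not item.pre_approved:
        if item.start_date is None or item.end_date is None:
            problems.append("one-time access needs both a start and an end date")
        elif item.end_date <= item.start_date:
            problems.append("end date must be later than start date")
    return problems


# Constructed sample requests (all ids are placeholders, not real EmpowerID values).
UTC = timezone.utc
LOGIN_ITEM = BusinessRequestItem(
    pre_approved=False,
    start_date=datetime(2022, 1, 28, 9, 0, tzinfo=UTC),
    end_date=datetime(2022, 1, 28, 17, 0, tzinfo=UTC),
    request_data_external_object_id="sharedcredential-placeholder",
)
MEMBERSHIP_ITEM = BusinessRequestItem(
    pre_approved=True,
    start_date=None,
    end_date=None,
    request_data_assignee_id="person-placeholder",
    request_data_target_resource_type_role_id="ResourceAccessRequestAssignee",
    request_data_assignment_point_id="group-placeholder",
)
# Malformed: names a membership access level but no person or group, and is one-time with no window.
BAD_ITEM = BusinessRequestItem(
    pre_approved=False,
    start_date=None,
    end_date=None,
    request_data_target_resource_type_role_id="ResourceAccessRequestAssignee",
)
INSIDE_WINDOW = datetime(2022, 1, 28, 12, 0, tzinfo=UTC)
OUTSIDE_WINDOW = datetime(2022, 1, 29, 12, 0, tzinfo=UTC)

if __name__ == "__main__":
    for name, item in (("login", LOGIN_ITEM), ("membership", MEMBERSHIP_ITEM), ("bad", BAD_ITEM)):
        print(name, access_kind(item), is_active(item, INSIDE_WINDOW), validate(item))
```

The two kinds of access are told apart by a single field, so the checks in validate guard against a request that carries fields from both shapes or neither; a request that fails them is rejected before any credential is exposed or any group membership is granted.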
Added support to make risk paths configurable in the UI
Added support for making risk paths configurable in the UI so that items can be aggregated by risk in the to-do list and process steps.
Added support for showing the decisions only once in the to-do list UI, with the risk step at the top and a way to collapse the paths, which are closed by default.
In the process steps, added similar support for aggregating the paths for an assignee and a risk, with the paths closed by default and a way to collapse them.
Assign Field Types to Global Rights with Field Values
Added support for assigning field types and values to global rights/definitions errors
This is implemented for cases where values come from list data items.
Other Enhancements and improvements
Added support for Azure AD connector deployment.
Added support to create a simple management role access granted recertification policy type
Added support for aligning sorting/advanced search property names.
Added support for shop by applications as a requestor.
Finalized support for managed access to credentials.
Added support to have the ability to filter by Audit.
Added support for end-user to manage out-of-office status.
Refactored MyID microservice application.
Added support to test the PBAC PDP endpoints from the developer authorization example page.